Digital Evidence Analysis: Steganography Detection
On this page, find:
What Is Steganography and How Is It Used for Illegal Activities?
Steganography is the technique of hiding a message inside another seemingly harmless message (such as a grocery list or a
spam e-mail) so that no one suspects the existence of the hidden message. Though the practice dates back to the days of the
ancient Greeks, the advent of the personal computer spawned the creation of new digital steganographic techniques — messages
hidden in text, image and video files.
Steganography, also known as steg or stego, poses a major challenge to law enforcement. Often, the files are not just hidden
but also encrypted, adding another layer of security in attempts to thwart investigators. Data can be hidden "in plain sight"
in a wide range of digital files, including video and music. Files on a computer's hard disk can be made invisible to those
who do not have the file name and its corresponding password.
Not only are there many steganographic algorithms and programs readily available, but their techniques are growing in sophistication.
Currently, there are more than 30 publicly available steg-encoding programs employing many different encryption algorithms
and these diverse techniques have to date precluded any universal test for steganography.
One of the most common illicit uses of steganography is for the possession and storage of child pornography images. However,
steganography can also be used to commit fraud, terrorist activities and other illegal acts.
Steganography made news headlines when the U.S. Department of Justice charged 11 individuals in two separate criminal complaints with conspiring to act as unlawful agents of the Russian Federation within the United
States. The defendants allegedly used steganography to embed messages in more than 100 image files posted on public websites.
Steganography: Challenges to Law Enforcement
Although there have been some advances in steganography detection and breaking, there is currently no single easy-to-use tool
available to law enforcement. Several factors heighten the challenge faced by law enforcement in detecting steganography:
- Steganography detection is usually handled separately from steganography decryption. An automated tool that integrates steg
detection and decryption in a way that is familiar and easily accessible to law enforcement has not been developed.
- Newer steganography-encoding techniques are being rapidly developed, rendering the current detection tools ineffective.
- Video steganography is an emerging problem area for law enforcement, but there are currently no detection tools available.
NIJ is currently funding two projects to help detect the use of steganography in criminal activities. First, the University
of Rhode Island is developing a module that aims to address the needs of steganography detection, decryption and original
This automated steganography detection tool could:
- Identify altered files and flag for further investigation.
- Begin working to "break" the file's encryption and uncover the hidden material.
- Be integrated into existing technology suites.
A range of steganography tools are available from WetStone Technologies; the new steganography-detection algorithms being
developed by University of Rhode Island will be integrated into the company's StegoSuite. (Law enforcement personnel should
contact WetStone Exit Notice for pricing.)
For the second project, NIJ awarded a grant to the Defense Cyber Crime Center (DC3), which is developing technologies to identify
and defeat steganography, data encryption and Encrypting File Systems (EFS). Through this project, DC3 develop or improve the following:
- Steganalysis and Steg-Extraction: DC3 will develop one or more methods of extracting data hidden by steganography programs
identified through the steganalysis process. Three new tools are expected to identify at least 36 steg algorithms with reasonable
- Registry Examination: DC3 will develop a tool which - based on evidence found in the Windows registry - will output a list
of steganography programs that have been run from the suspect's system, independent of whether the programs were run from
the hard drive or external media, such as a thumb drive, CD or floppy disk.
- Forensic Carving Tool: The general purpose forensic carving tool will continue to be upgraded, adding features that are deemed useful to the law
enforcement and forensic communities.
The tools will be distributed for free to state and local law enforcement.
Date Created: November 5, 2010